SmartND and PIPEDA – Our Commitment to Privacy and Security

One of the most important aspects of an EMR is its secure handling of private information. Thousands of private medical charts are being stored on our servers on a daily basis, and we believe it is important for you to know just what measures we have taken and what guidelines we are following to ensure the privacy and security of your data.

PIPEDA (The Personal Information Protection and Electronic Documents Act) is a set of rules and guidelines developed in Canada that govern the collection, use or disclosure of personal information about an identifiable individual; in our case, medical records. The Office of the Privacy Commissioner of Canada has prepared a guide to help organizations like SmartND fulfill their responsibilities under PIPEDA. The following is a summary of the guidelines and steps that SmartND has taken to comply with PIPEDA.

Keep in mind that although there may be some ambiguity in the wording used in this article, we only storemedical information – we do not collectit. As such, it is assumed that the practitioner who is collecting the information form their patients has obtained the proper consent to do so. Although SmartND provides methods for practitioners to record that they have obtained consent from their patients, we do not monitor nor do we verify or audit this consent.

Accountability.

The accountability guideline requires that one individual be taken as accountable for adherence to the principles of PIPEDA. SmartND has appointed a Privacy Officer to take on this accountability and ensure that SmartND complies with all aspects of PIPEDA. The Privacy Officer for SmartND is Mr. Venk Prabhu. One of the roles of the privacy officer is to answer the following questions:

What personal information do we collect and is it sensitive? We collect personal contact information and store medical information entered by healthcare practitioners and their patients. Some of this information can be considered sensitive.

Why do we collect it? We collect and store this information as a service to health care providers so that they can more effectively fulfill their responsibilities to their patients. A health care provider’s role is to collect information from their patients in order to assess their condition and provide a treatment plan. We provide a service to help store this information, and allow health care providers as well as patients the ability to retrieve this information as necessary.

How do we collect it? We collect this information through a cloud-based service called SmartND.

What do we use it for? Personally identifiable information is never used for any purpose other than to display this information to specific healthcare providers. Non identifieable information is used to generate statistical reports on the usage of the SmartND service. These statistical reports do not contain any personally identifiable information, and are only used to improve the service and/or provide valuable statistical insights into the industry.

Where do we keep it? This data is stored in the country of origin, on physical computer servers, under 24/7 security.

How is it secured? The information is secured in many ways. The physical databases are secured by 24/7 security by reputable third-party hosting providers. The service itself uses SSL-based security to protect data entered into our service via the web-based application.

Who has access to or uses it? Healthcare practitioners have access to all the data they have entered, and any data that has been share with them by other practitioners. Patients have access to their treatment plans and any other data that has been shared with them by the practitioners. SmartND staff have access to the databases but adhere to a strict security protocol, where the database tables of personally identifiable information are kept separate from the medical information itself.

To whom is it disclosed? Personally identifiable information is never disclosed to any 3rd party by SmartND, unless required to by law. In the case of a legal requirement, SmartND will first communicate this to the practitioner involved, and give them enough time to oppose the request.

When is it disposed of? Data on SmartND servers will not be disposed of. If ever SmartND is required to dispose of data, all data will be returned to the author of the data prior to disposal.

Identifying purposes.

This guideline requires us to identify the reasons for collecting personal information at the time of collection: Personal contact information which is collected through the process of creating an account on SmartND is required in order for us to identify the individual creating the account. This identification is used to secure the account against unauthorized access, and to establish customer eligibility for special offers or discounts. We do not collect medical information and only serve as a storage service for this data.

Consent

This guideline requires us to obtain informed consent for the collection of personal data. As we do not collect medical data, we do not obtain consent from patients – this is the responsibility of the practitioner. However we do collect personal information for the purpose identified above, and we use this information as described above. As the process of opening an account for online services is not a novel use of personal data, we assume that the individual creating an account on our service is implying consent that we use this personal information for the purposes of opening an account. The individual opening an account on SmartND is also required to agree to our Terms of Service and Privacy Policy.

Limiting collection

This guideline requires us to not collect information indiscriminately. All the information that we collect ( we do not collect medical information) is used as described above, and no irrelevant information is collected.

Limiting use, disclosure, and retention

This guideline requires us to use collected information only for the reasons specified above, and to disclose this information only if necessary and if authorized by the PIPEDA guidelines. SmartND does only use the information collected for the purposes identified above.

Accuracy

This guideline requires us to be accurate about the use of the information collected. Our information collection methods are tested and do accurately store the right information in association with the right individual. If ever an error does occur, we are available to discuss the error and remedy it upon request.

Safeguards

This guideline requires us to use appropriate safeguards to protect personal information against loss or theft, unauthorized access, disclosure, copying, use or modification. Our safety protocols are identified above, and we are using industry standard SSL connections during data collection to prevent theft of sensitive information.

Openness

This guideline requires us to be open about the method we have used to safeguard personal information. This document serves that purpose.

Individual access

This guideline requires us to allow individuals to have access to any personal information we store about them. Any medical information stored on our servers is always accessible to the practitioner who collected and authored the information. Should a patient request information from us regarding personal data that has been entered into our system by a practitioner, the practitioner will be contacted immediately and informed of this request. The practitioner will then be given an appropriate amount of time to respond to the patient’s request. Patients must make their request for personal information through a practitioner.

Provide Recourse

This guideline requires us to provide a simple means for our users to place complaints. Complaints may be sent to info@smartnd.ca. We will investigate all complaints received.